This example uses the personalblog-demo project and the Tainting Checker to verify that user input cannot reach SQL query construction unvalidated, which prevents SQL injection. (If you have not already done so, download the tutorial source files.)
Please see the manual for a complete discussion of using the Checker Framework and the Ant build tool. Below is the output of running the buildfile:
$ ant
Buildfile: .../personalblog-demo/build.xml

clean:

check-tainting:
    [mkdir] Created dir: .../personalblog-demo/bin
[jsr308.javac] Compiling 2 source files to .../personalblog-demo/bin
[jsr308.javac] javac 1.8.0-jsr308-1.8.5
[jsr308.javac] .../personalblog-demo/src/net/eyde/personalblog/service/PersonalBlogService.java:175: error: incompatible types in argument.
[jsr308.javac]                 "where post.category like '%", category,
[jsr308.javac]                                                ^
[jsr308.javac]   found   : @Tainted String
[jsr308.javac]   required: @Untainted String
[jsr308.javac] 1 error

BUILD FAILED
.../personalblog-demo/build.xml:35: Compile failed; see the compiler error output for details.

Total time: 2 seconds
The checker issues an error for getPostsByCategory() because a possibly tainted string, category, is used in the query construction. To correct this, add @Untainted to the category parameter declaration:

public List<?> getPostsByCategory(@Untainted String category) throws ServiceException {

This forces clients to pass an @Untainted value, which was the intention of the designer of the getPostsByCategory method.
$ ant
Buildfile: .../personalblog-demo/build.xml

clean:
   [delete] Deleting directory .../personalblog-demo/bin

check-tainting:
    [mkdir] Created dir: .../personalblog-demo/bin
[jsr308.javac] Compiling 2 source files to .../personalblog-demo/bin
[jsr308.javac] javac 1.8.0-jsr308-1.8.5
[jsr308.javac] .../personalblog-demo/src/net/eyde/personalblog/struts/action/ReadAction.java:58: error: incompatible types in argument.
[jsr308.javac]                 pblog.getPostsByCategory(reqCategory));
[jsr308.javac]                                          ^
[jsr308.javac]   found   : @Tainted String
[jsr308.javac]   required: @Untainted String
[jsr308.javac] 1 error

BUILD FAILED
.../personalblog-demo/build.xml:35: Compile failed; see the compiler error output for details.

Total time: 2 seconds
The error has now moved to ReadAction.executeSub(), which is a client of getPostsByCategory. The reqCategory value is accepted from the user (from the request object) without validation, so the checker still treats it as @Tainted. To correct this, pass it through the validate method as shown below:

String reqCategory = validate(cleanNull(request.getParameter("cat")));
$ ant
Buildfile: .../personalblog-demo/build.xml

clean:
   [delete] Deleting directory .../personalblog-demo/bin

check-tainting:
    [mkdir] Created dir: .../personalblog-demo/bin
[jsr308.javac] Compiling 2 source files to .../personalblog-demo/bin
[jsr308.javac] javac 1.8.0-jsr308-1.8.5

BUILD SUCCESSFUL
Total time: 2 seconds
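The following is an added, self-contained illustration of the pattern the two fixes above rely on; it is not code from the personalblog-demo project. It models the service method with an @Untainted parameter, the single trusted validate routine that turns a @Tainted value into an @Untainted one, and a caller that stands in for ReadAction.executeSub(). The class name TaintingDemo, the handleRequest method, the use of a plain String parameter in place of the servlet request object, and the allow-list regular expression are all assumptions of this example. It needs the Checker Framework qualifier jar on the classpath and is checked with the Tainting Checker as in the tutorial's build.

```java
// Added example (not part of personalblog-demo). Names are hypothetical.
import org.checkerframework.checker.tainting.qual.Tainted;
import org.checkerframework.checker.tainting.qual.Untainted;

import java.util.ArrayList;
import java.util.List;

public class TaintingDemo {

    // Stand-in for PersonalBlogService.getPostsByCategory: the @Untainted
    // parameter makes every caller prove, at compile time, that the value
    // went through validation before it reaches query construction.
    public static List<String> getPostsByCategory(@Untainted String category) {
        // Only an @Untainted value can be concatenated here; passing a raw
        // request parameter is rejected by the checker, not at runtime.
        String hql = "from Post post where post.category like '%" + category + "%'";
        List<String> queries = new ArrayList<>();
        queries.add(hql);
        return queries;
    }

    // Request parameters may be absent; normalise null to the empty string.
    public static String cleanNull(String s) {
        return s == null ? "" : s;
    }

    // The one place where @Tainted becomes @Untainted. The checker cannot
    // see that the allow-list is sufficient, so the incompatible return is
    // suppressed deliberately; this method body is what code review audits.
    @SuppressWarnings("tainting")
    public static @Untainted String validate(@Tainted String input) {
        // Constructed allow-list: category names are short alphanumerics.
        if (!input.matches("[A-Za-z0-9_-]{0,32}")) {
            throw new IllegalArgumentException("invalid category");
        }
        return input;
    }

    // Models ReadAction.executeSub: the parameter arrives @Tainted (the
    // checker's default for unannotated types).
    public static List<String> handleRequest(@Tainted String catParam) {
        // Without validate(...) the checker reports
        //   found   : @Tainted String
        //   required: @Untainted String
        // exactly as in the second build above. Flow-sensitive refinement
        // types reqCategory as @Untainted after this assignment.
        String reqCategory = validate(cleanNull(catParam));
        return getPostsByCategory(reqCategory);
    }

    public static void main(String[] args) {
        System.out.println(handleRequest("java"));
        // A value such as "' or '1'='1" is stopped inside validate at runtime;
        // what the checker adds is the compile-time proof that no path
        // reaches getPostsByCategory without going through validate.
    }
}
```

The checker guarantees only that every value reaching getPostsByCategory flowed through a method declared to return @Untainted; it says nothing about whether validate's allow-list is strict enough. Keep such sanitizers few, small and reviewed, and prefer parameterized queries where the persistence layer offers them, so that the tainting annotations are a second line of defence rather than the only one.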